CEHv8 Module 07 Viruses and Worms.pdf


  • 7/22/2019 CEHv8 Module 07 Viruses and Worms.pdf

    1/106

    Viruses and Worms

    Module 07


Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures
Viruses and Worms

Engineered by Hackers. Presented by Professionals.

Ethical Hacking and Countermeasures v8

Module 07: Viruses and Worms

Exam 312-50

Module 07 Page 1007 Ethical Hacking and Countermeasures Copyright by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.


CEH Security News

GlobalResearch, October 19, 2012

Global Cyber-Warfare Tactics: New Flame-linked Malware used in Cyber-Espionage



Source: http://www.globalresearch.ca

A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.

The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.


But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware."

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.

"MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained.

"First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client.

Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

Cyber warfare in full swing

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.

Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."

"The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said.

He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is
like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."

Iran, who confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright 2005-2012 GlobalResearch.ca

By Russia Today

http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-in-cyber-espionage/5308867


Module Objectives


The objective of this module is to expose you to the various viruses and worms available today. It gives you information about all the available viruses and worms. This module examines the workings of a computer virus, its function, classification, and the manner in which it affects systems. This module will go into detail about the various countermeasures available to protect against these virus infections. The main objective of this module is to educate you about the available viruses and worms, indications of their attack and the ways to protect against various viruses, and testing your system or network against viruses or worms presence.

This module will familiarize you with:

• Computer Worms
• Worm Analysis
• Worm Maker
• Malware Analysis Procedure
• Online Malware Analysis Services
• Virus and Worms Countermeasures
• Antivirus Tools


• Introduction to Viruses
• Stages of Virus Life
• Working of Viruses
• Indications of Virus Attack
• How Does a Computer Get Infected by Viruses?
• Virus Analysis
• Types of Viruses
• Virus Maker


Module Flow

• Virus and Worms Concepts
• Types of Viruses
• Computer Worms
• Malware Analysis
• Countermeasures
• Penetration Testing

This section introduces you to various viruses and worms available today and gives you a brief overview of each virus and statistics of viruses and worms in the recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by the attacker to distribute malware on the web are highlighted.


Introduction to Viruses

• A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
• Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments

Virus Characteristics

• Alters Data
• Corrupts Files and Programs
• Self Propagates
• Infects Other Program
• Transforms Itself
• Encrypts Itself

Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of it into other executable codes. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. There are three categories of malicious programs:

• Trojans and rootkits
• Viruses
• Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spreading further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that contain all of the features of these three malicious programs.


Virus and Worm Statistics

Source: http://www.av-test.org

This graphical representation gives detailed information of the attacks that have occurred in the recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012, the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.


FIGURE 7.1: Virus and Worm Statistics (bar chart; x-axis: years 2008 to 2012; y-axis: 0 to 75,000,000)


Stages of Virus Life

• Design: Developing virus code using programming languages or construction kits
• Replication: Virus replicates for a period of time within the target system and then spreads itself
• Launch: It gets activated with the user performing certain actions such as running an infected program
• Detection: A virus is identified as threat infecting target systems
• Incorporation: Antivirus software developers assimilate defenses against the virus
• Elimination: Users install antivirus updates and eliminate the virus threats

Computer virus attacks spread through various stages from inception to design to elimination.

1. Design: A virus code is developed by using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.

2. Replication: A virus first replicates itself within a target system over a period of time.

3. Launch: It is activated when a user performs certain actions such as triggering or running an infected program.

4. Detection: A virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.


5. Incorporation: Antivirus software developers assemble defenses against the virus.

6. Elimination: Users are advised to install antivirus software updates, thus creating awareness among user groups.


Working of Viruses: Infection Phase

• In the infection phase, the virus replicates itself and attaches to an .exe file in the system


Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:

• Self start
• Infect other hardware
• Cause physical damage to a computer
• Transmit themselves using non-executable files

Generally viruses have two phases, the infection phase and the attack phase.

In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:

• How will the virus infect?
• How will it spread?
• How will it reside in a target computer's memory without being detected?


Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls for numerous programs that may be built into a system, and some of these are distribution medium programs. Thus, if a virus program already exists, it can be activated with this kind of execution and infect the additional setup program as well.

There are virus programs that infect and keep spreading every time they are executed. Some programs do not infect the programs when first executed. They reside in a computer's memory and infect programs at a later time. Such TSR (terminate and stay resident) virus programs wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.

Refer to the figure that follows to see how the EXE file infection works.

In the following figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program as soon as it is run.

• A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
• Boot sector viruses execute their own code in the first place before the target PC is booted.

FIGURE 7.2: Working of Viruses in Infection Phase (Before Infection: Clean File N.exe; After Infection: Virus Infected File)


Working of Viruses: Attack Phase

• Viruses are programmed with trigger events to activate and corrupt systems
• Some viruses infect each time they are run and others infect only when a certain predefined condition is met such as a user's specific task, a day, time, or a particular event


Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves, and perform activities such as deleting files and increasing session time.

They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:

• Deleting files and altering content in data files, thereby causing the system to slow down
• Performing tasks not related to applications, such as playing music and creating animations


FIGURE 7.3: Working of Viruses in Attack Phase (Unfragmented File Before Attack: File A pages 1, 2, 3 followed by File B pages 1, 2, 3; File Fragmented Due to Virus Attack: pages of File A and File B interleaved out of order)

Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once a virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations, causing the system to slow down as users try to retrieve their files. In this phase:

• Viruses execute when some events are triggered
• Some execute and corrupt via built-in bug programs after being stored in the host's memory
• Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent


Why Do People Create Computer Viruses?

[Figure: computer viruses targeting a vulnerable system]

• Inflict damage to competitors
• Financial benefits
• Research projects
• Play prank
• Vandalism
• Cyber terrorism
• Distribute political messages


Source: http://www.securitydocs.com

Computer viruses are not self-generated, but are created by cyber-criminal minds, intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system. These are designed to improve a system's performance by deleting previously embedded viruses from files.

Some reasons viruses have been written include:

• Inflict damage to competitors
• Research projects
• Pranks
• Vandalism
• Attack the products of specific companies
• Distribute political messages
• Financial gain


• Identity theft
• Spyware
• Cryptoviral extortion


Indications of Virus Attacks

• Processes take more resources and time
• Computer slows down when programs start
• Computer freezes frequently or encounters error

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:

• Programs take longer to load
• The hard drive is always full, even without installing any programs
• The floppy disk drive or hard drive runs when it is not being used
• Unknown files keep appearing on the system
• The keyboard or the computer emits strange or beeping sounds
• The computer monitor displays strange graphics
• File names turn strange, often beyond recognition
• The hard drive becomes inaccessible when trying to boot from the floppy drive
• A program's size keeps changing
• The memory on the system seems to be in use and the system slows down
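Two of the indications above, a program whose size keeps changing and unknown files appearing, are exactly what a file infector that attaches itself to .exe files (the infection phase described earlier) leaves behind, and both can be checked against a trusted baseline. The following is an added example written for this page, not code from the CEH module: it snapshots the size and SHA-256 digest of every executable under a directory, compares a later snapshot against the baseline, and reports files that grew, were patched in place, appeared or went missing; the directory tree, file names and contents are constructed for the demonstration.

```python
"""Baseline-and-compare check for file-infector symptoms (added example).

The directory layout, file names and byte contents in demo() are constructed
for the demonstration; the simulated changes are plain file writes.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Extensions a file infector would typically target on a Windows host.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd")


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, Tuple[int, str]]:
    """Map every executable under root (path relative to root) to (size, sha256)."""
    entries: Dict[str, Tuple[int, str]] = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = (os.path.getsize(path), sha256_of(path))
    return entries


def compare(baseline: Dict[str, Tuple[int, str]],
            current: Dict[str, Tuple[int, str]]) -> List[str]:
    """Report new, modified and missing executables; an empty list means no change.

    A size increase with a changed hash is the classic appending-infector
    signature; a changed hash at the same size points at in-place patching,
    which a size check alone would miss.
    """
    findings: List[str] = []
    for rel, (size, digest) in sorted(current.items()):
        if rel not in baseline:
            findings.append(f"NEW: {rel} ({size} bytes)")
            continue
        base_size, base_digest = baseline[rel]
        if digest == base_digest:
            continue
        if size > base_size:
            findings.append(f"GREW: {rel} (+{size - base_size} bytes, hash changed)")
        elif size == base_size:
            findings.append(f"PATCHED: {rel} (same size, hash changed)")
        else:
            findings.append(f"SHRANK: {rel} ({size - base_size} bytes, hash changed)")
    for rel in sorted(set(baseline) - set(current)):
        findings.append(f"MISSING: {rel}")
    return findings


def demo() -> List[str]:
    """Build a constructed program tree, baseline it, alter it the way an
    appending infector and a dropper would appear to, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app", "editor.exe")
        helper = os.path.join(root, "app", "helper.dll")
        notes = os.path.join(root, "app", "readme.txt")
        os.makedirs(os.path.dirname(app))
        with open(app, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 510)          # constructed 512-byte binary
        with open(helper, "wb") as fh:
            fh.write(b"MZ" + b"\x01" * 254)          # constructed 256-byte binary
        with open(notes, "w") as fh:
            fh.write("not an executable, ignored by the scan\n")
        baseline = snapshot(root)

        # Simulated symptoms (plain file writes, no infection logic):
        with open(app, "ab") as fh:                  # editor.exe grows by 64 bytes
            fh.write(b"\xcc" * 64)
        with open(helper, "r+b") as fh:              # helper.dll patched in place
            fh.seek(16)
            fh.write(b"\xff")
        with open(os.path.join(root, "app", "unknown.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x02" * 30)           # an unexplained new executable
        with open(notes, "a") as fh:
            fh.write("text change, must not be reported\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice the baseline is taken from known-clean media and stored off the monitored host, since an infector with write access could otherwise refresh it.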


How Does a Computer Get Infected by Viruses?

• When a user accepts files and downloads without checking properly for the source
• Opening infected e-mail attachments
• Installing pirated software
• Not updating and not installing new versions of plug-ins
• Not running the latest anti-virus application


    There a re many ways in wh ich a com put e r ge ts in fec ted by v i ruses . The mo st po pu la rme thod s a re as fo l l ows:

    W hen a user accep ts f i les and dow n load s w i th ou t checking p rope r l y fo r the source .

    A t tackers usua l l y send v i rus- in fec ted f i les as ema i l a t tac hm ents to sp read the v i rus on

    the v i c t im 's sys tem. I f the v i c t im opens the ma i l , the v i rus au tom at i ca l l y i n fec ts the

    sys tem.

    A t tackers inco rp ora te v iruses in pop u la r so f tw are p rograms and up load the in fec ted

    so f twa r e o n we b s i t e s i n te n d e d t o d o wn l o a d so f twa r e . Wh e n th e v i c t i m d o wn l o a d s

    in fec ted s o f tw are and ins ta ll s it , the sys tem ge ts i n fec ted .

    Fa il ing to i ns tal l new ve rs ions o r upda te w i th l a tes t pa tches in tended to f ix the kn ownbugs may expose y our sys tem t o v i ruses .

    W i th the increasing techno logy , a t tackers a lso are design ing new vi ruses. Fai l ing to use

    la tes t an t i v i rus app l i ca t ions may expose you to v i rus a t tacks


Common Techniques Used to Distribute Malware on the Web

Malvertising: Embedding malware in ad-networks that display across hundreds of legitimate, high-traffic sites

Compromised Legitimate Websites: Hosting embedded malware that spreads to unsuspecting visitors

Drive-by Downloads: Exploiting flaws in browser software to install malware just by visiting a web page

Blackhat Search Engine Optimization (SEO): Ranking malware pages highly in search results

Social Engineered Click-jacking: Tricking users into clicking on innocent-looking webpages

Spearphishing Sites: Mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials

Source: Security Threat Report 2012 (http://www.sophos.com)

Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

Blackhat Search Engine Optimization (SEO): Using this technique the attacker ranks malware pages high in search results.

Social Engineered Click-jacking: The attackers trick users into clicking on innocent-looking web pages that contain malware.

Spearphishing Sites: This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal account login credentials.

Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites.

Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors.

Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page.
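The following is an added example, not code from the module or from the Sophos report, of how a responder can triage a suspect page for the indicators the compromised-site, malvertising and drive-by entries describe: hidden or off-site iframes, scripts pulled from another host, and eval/unescape-wrapped inline code. The sample HTML, the .test and .invalid hostnames, and the 1-pixel threshold are constructed assumptions; the output is a list of indicators for an analyst, not a verdict, since legitimate ad networks also load third-party scripts.

```python
"""Flag page features commonly seen on compromised sites and in malvertising
(hidden iframes, off-site scripts, obfuscated inline JavaScript).
Indicators only: findings need analyst review."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageCollector(HTMLParser):
    """Collect iframe/script tags and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.inline = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self.scripts.append(attrs)
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def _is_hidden(attrs):
    """True when an element is styled invisible or sized to 0/1 pixels."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for key in ("width", "height"):
        value = str(attrs.get(key, "")).lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def _looks_obfuscated(script):
    """Crude check for eval/unescape/fromCharCode wrappers used to hide
    exploit loaders from simple signature scanners."""
    s = script.replace(" ", "")
    return "eval(" in s and ("unescape(" in s or "fromCharCode(" in s or "%u" in s)


def find_injection_indicators(html, page_host):
    """Return (indicator, detail) pairs for a page served from page_host."""
    parser = _PageCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname
        if _is_hidden(frame):
            findings.append(("hidden-iframe", src))
        elif host and host != page_host:
            findings.append(("offsite-iframe", src))
    for script in parser.scripts:
        src = script.get("src")
        host = urlparse(src).hostname if src else None
        if host and host != page_host:
            findings.append(("offsite-script", src))
    for body in parser.inline:
        if _looks_obfuscated(body):
            findings.append(("obfuscated-inline-script", body.strip()[:40]))
    return findings


# Constructed sample page: a legitimate-looking site with an injected 1x1
# iframe and an obfuscated loader (hostnames are placeholders, not real sites).
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<script src="https://www.example.test/js/site.js"></script>
<iframe src="http://ads.malvertiser.invalid/r.php" width="1" height="1"></iframe>
<iframe src="http://partner.example.test/widget" width="300" height="250"></iframe>
<script>eval(unescape('%u9090%u9090'));</script>
</body></html>
"""

if __name__ == "__main__":
    for indicator, detail in find_injection_indicators(SAMPLE_PAGE, "www.example.test"):
        print(indicator, detail)
```

Run against a saved copy of the page (not a live fetch from the suspect host) and compare the off-site hosts it reports against the site's known advertising and CDN partners before escalating.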


Virus Hoaxes and Fake Antiviruses

- Attackers disguise malware as an antivirus and trick users into installing it on their systems
- Once installed, these fake antiviruses can damage target systems like any other malware
- Hoaxes are false alarms claiming reports about a non-existent virus; the hoax message itself may carry virus attachments
- Warning messages propagate claiming that a certain email message should not be viewed and that doing so will damage one's system

Virus Hoaxes and Fake Antiviruses

Virus Hoaxes

A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along, thinking they are helping others avoid the "virus."

- Hoaxes are false alarms claiming reports about non-existent viruses
- These warning messages, which can propagate rapidly, state that a certain email message should not be opened and that doing so would damage one's system
- In some cases, the warning messages themselves carry virus attachments
- Those attachments can cause extensive damage on target systems

Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes while avoiding being identified and caught. Therefore, it is good practice to look for technical details about how the claimed infection is supposed to happen. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.


Try to cross-check the identity of the person who posted the warning, and look for more information about the hoax/warning from secondary sources. Before jumping to conclusions from documents read on the Internet, check the following:

- If it is posted by a suspicious newsgroup, cross-check the information with another source
- If the person who posted the news is not known in the community or an expert, cross-check the information with another source
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
- If the posting is technical, hunt for sites that cater to the technicalities and try to authenticate the information

Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard C disc of your computer.

This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

End-of-mail

Thanks.

FIGURE 7.3: Hoax Warning Message

Fake Antiviruses

Fake antivirus software is a method attackers use to compromise a system: it can poison the system and tamper with the registry and system files to give the attacker full control of and access to the computer. It looks and behaves like a real antivirus program.

A fake antivirus first appears in the browser and warns users that there are various security threats on their system, backing the claim with a list of supposedly detected viruses. When the user tries to remove the "viruses," they are taken to another page where they must buy or subscribe to the antivirus and enter payment details. These fake antivirus programs are built to draw the attention of the unsuspecting user into installing the software.

Some of the methods used to extend the reach and installation of fake antivirus programs include:

- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt them to open the attachments, which install the software.


- Search engine optimization: Attackers generate pages related to popular or current search terms and seed them so that they appear as fresh, high-ranking search results. The pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antivirus, relying on the site's popularity to entice visitors to download it.


Virus Analysis: DNSChanger

- DNSChanger (Alureon) modifies the DNS settings on the victim PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information
- It acts as a bot and can be organized into a BotNet and controlled from a remote location
- It spreads through emails, social engineering tricks, and untrusted downloads from the Internet
- DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the BotNet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names
- DNSChanger achieves the DNS redirection by modifying the following registry key setting for an interface device such as a network card:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID%\NameServer

Source: http://www.totaldefense.com

Virus Analysis: DNSChanger

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. The malware achieves DNS redirection by modifying the per-interface NameServer value in the system registry for an interface device such as a network card.

DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. By modifying the DNS settings on the victim's PC, the malware can divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.


Virus Analysis: DNSChanger (Cont'd)

The rogue DNS servers can exist in any of the following ranges:

64.28.176.0 - 64.28.191.255
67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255
93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255
213.109.64.0 - 213.109.79.255

Source: http://www.totaldefense.com

Virus Analysis: DNSChanger (Cont'd)

Source: http://www.totaldefense.com

The rogue DNS servers can exist in any of the following ranges:

- 64.28.176.0 - 64.28.191.255
- 67.210.0.0 - 67.210.15.255
- 77.67.83.0 - 77.67.83.255
- 93.188.160.0 - 93.188.167.255
- 85.255.112.0 - 85.255.127.255
- 213.109.64.0 - 213.109.79.255


FIGURE 7.5: Virus Analysis Using DNSChanger (diagram: the victim asks the attacker's DNS server at 64.28.176.2 for the IP address of www.xsecurity.com, is sent to the fake website at 65.0.0.2, DNSChanger sniffs the credentials and forwards the request to the real website at 200.0.0.45)

To infect the system and steal credentials, the attacker first has to run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer, changing its DNS server address to 64.28.176.2. Once this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After the DNS setting has been altered, any request the system makes is sent to the malicious DNS server.

Here the victim sends the DNS request "what is the IP address of www.xsecurity.com" to 64.28.176.2. The attacker answers that www.xsecurity.com is located at 65.0.0.2. When the victim's browser connects to 65.0.0.2, it reaches a fake website created by the attacker at that IP. DNSChanger sniffs the credentials (user name, password) and relays the request to the real website (www.xsecurity.com) at IP 200.0.0.45, so the victim sees the expected site and has no visible sign of the interception.
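As an added example, not Total Defense's code or anything from the module, the following checks resolver addresses against the rogue ranges quoted above and, on Windows, reads the per-interface NameServer and DhcpNameServer values under the registry path the slide names. The sample registry entries and interface GUIDs are constructed; on a real host the registry is opened read-only and nothing is changed.

```python
"""Check DNS server addresses against the rogue DNSChanger ranges listed in
the module and, on Windows, read the per-interface NameServer values the
malware rewrites. Added example; the ranges are the module's."""
import ipaddress
import platform

# Ranges quoted in the module text.
ROGUE_DNS_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

TCPIP_INTERFACES = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"


def _to_networks(ranges):
    """Expand first-last ranges into CIDR networks for membership tests."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETWORKS = _to_networks(ROGUE_DNS_RANGES)


def is_rogue_dns(ip):
    """True when ip falls inside one of the rogue DNSChanger ranges."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_NETWORKS)


def rogue_servers_in(value):
    """NameServer is a REG_SZ holding IPs separated by commas or spaces;
    return the ones that fall in a rogue range."""
    return [s for s in value.replace(",", " ").split() if is_rogue_dns(s)]


def read_windows_nameservers():
    """Return {"<GUID>\\<value name>": value} from the registry (Windows only).
    DNSChanger sets the static 'NameServer'; 'DhcpNameServer' is read too so a
    rogue resolver handed out by a poisoned DHCP server is also caught."""
    if platform.system() != "Windows":
        return {}
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_INTERFACES) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            with winreg.OpenKey(root, guid) as iface:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        value, _ = winreg.QueryValueEx(iface, name)
                    except OSError:
                        continue
                    if value:
                        result[guid + "\\" + name] = value
    return result


def audit(nameservers):
    """Map each registry entry that contains a rogue server to those servers."""
    hits = {}
    for key, value in nameservers.items():
        rogue = rogue_servers_in(value)
        if rogue:
            hits[key] = rogue
    return hits


# Constructed sample registry content (placeholder GUIDs, not a real machine).
SAMPLE_ENTRIES = {
    "{00000000-0000-0000-0000-000000000001}\\NameServer": "64.28.176.2,8.8.8.8",
    "{00000000-0000-0000-0000-000000000002}\\DhcpNameServer": "192.168.1.1",
}

if __name__ == "__main__":
    entries = read_windows_nameservers() or SAMPLE_ENTRIES
    for key, rogue in audit(entries).items():
        print("ROGUE DNS on", key, "->", rogue)
```

The ranges are those the module lists for this campaign; a hit against them is strong evidence of DNSChanger, but a resolver outside them is not proof of a clean machine, so also compare each NameServer value against the resolvers your DHCP server or network team actually hands out.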


Module Flow

So far we have discussed virus and worm concepts. Now we will discuss the different types of viruses.

Module sections: Virus and Worms Concepts, Types of Viruses, Computer Worms, Malware Analysis, Countermeasures, Penetration Testing

This section describes the different types of viruses.


Figure: types of viruses covered in this section (system or boot sector, file, multipartite, cluster, macro, stealth/tunneling, encryption, polymorphic, metamorphic, sparse infector, direct action or transient, and others)

Types of Viruses

So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses.

This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are malicious software programs written by attackers to enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.

Viruses are classified along two axes:

- What do they infect?
- How do they infect?


What Do They Infect?

System or Boot Sector Viruses

The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. These viruses specifically infect floppy boot sectors and the boot records of the hard disk. Examples: Disk Killer and Stoned.

File Viruses

Executable files are infected by file viruses, which insert their code into the original file and get executed along with it. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Multipartite Virus

Multipartite viruses infect program files, and the infected file in turn infects the boot sector. Examples: Invader, Flip, and Tequila.

Cluster Viruses

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that directory entries point to the virus code instead of the actual program.

Macro Virus

Microsoft Word or a similar application can be infected by a macro virus, which automatically performs a sequence of actions when the application is triggered or a document is opened. Macro viruses are somewhat less harmful than other types. They are usually spread via email.

How Do They Infect?

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts while they are running. Requests made through these service call interrupts are intercepted and served by virus code. The virus returns false information to hide its presence from antivirus programs: for example, it hides the modifications it made and presents the original, clean view of the file. Thus, it takes over portions of the target system and hides its virus code.

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To do this, they even tunnel under antivirus software programs.


Encryption Viruses

This type of virus consists of an encrypted copy of the virus body and a decryption module. The decryption module remains constant, whereas a different key is used for each infection, so the encrypted body looks different in each infected file.

Polymorphic Viruses

These viruses were developed to confuse antivirus programs that scan for viruses in the system. They are difficult to trace, since they change their characteristics each time they infect, i.e., every copy of the virus differs from the previous one. Virus developers have even created metamorphic engines and virus-writing toolkits that make the code of an existing virus look different from others of its kind.

Metamorphic Viruses

Code that can reprogram itself is called metamorphic code. The code is translated into a temporary representation and then converted back into normal code. This technique, in which the original algorithm remains intact while the instructions change, is used to avoid pattern recognition by antivirus software. It is more effective than polymorphic code, but a metamorphic virus consists of complex, extensive code.
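An added example, not from the module, of why scanners key on the decryptor rather than the body of an encryption virus: the body is re-encrypted under a different key in every copy, while the decryptor stays byte-identical. The stub bytes, keys and body text are constructed stand-ins (the body is a harmless string, not code), and XOR plays the role of the cipher.

```python
"""Encryption virus layout in miniature: a constant decryptor stub followed
by a per-copy key and the body encrypted under that key. Shows that a
signature on the stub matches every copy while one on the body never does."""

# Stand-in for the constant decryption routine (constructed bytes, not code).
DECRYPTOR_STUB = b"\xb9\x20\x00\x30\x04\x46\xe2\xfb"
# Placeholder body: plain text, so nothing here is executable.
BODY = b"INERT VIRUS BODY: replicate(); payload();"


def xor(data, key):
    """Toy cipher: repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_infection(body, key):
    """Emit [stub][key length][key][encrypted body], as the virus would."""
    return DECRYPTOR_STUB + bytes([len(key)]) + key + xor(body, key)


def recover_body(blob):
    """What the stub does at run time: read the key, decrypt the body."""
    start = len(DECRYPTOR_STUB)
    klen = blob[start]
    key = blob[start + 1:start + 1 + klen]
    return xor(blob[start + 1 + klen:], key)


def stub_signature_hits(blob, signature=DECRYPTOR_STUB):
    """Signature scan on the constant decryptor."""
    return signature in blob


def body_signature_hits(blob, signature=BODY[:16]):
    """Signature scan on the plaintext body; fails because it is encrypted."""
    return signature in blob


# Three infections with different (fixed, constructed) keys.
KEYS = [b"\x01\x02\x03\x04", b"\xaa\x55\xaa\x55", b"\x10\x20\x30\x40"]
COPIES = [build_infection(BODY, k) for k in KEYS]


def all_distinct(blobs):
    """True when no two copies are byte-identical."""
    return len({bytes(b) for b in blobs}) == len(blobs)


if __name__ == "__main__":
    for blob in COPIES:
        print(stub_signature_hits(blob), body_signature_hits(blob), recover_body(blob) == BODY)
```

A polymorphic virus closes this gap by mutating the decryptor itself, which is why its detection moves from static byte signatures to emulation of the decryptor until the body appears in memory.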

Overwriting File or Cavity Viruses

Some program files have areas of empty space. This empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without destroying the original code, so the file size does not change. It installs itself in the file it attempts to infect.

Sparse Infector Viruses

A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range, which reduces its chance of being noticed.

Companion Viruses

The companion virus stores itself under the same base name as the targeted program file but with a different extension, for example BAD.COM alongside BAD.EXE, so that DOS runs the companion first when the program name is typed. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.

Camouflage Viruses

They disguise themselves as genuine applications of the user. These viruses are not difficult to find, since antivirus programs have advanced to the point where such viruses are easily traced.

Shell Viruses

This virus code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code, and the virus assumes its identity.

File Extension Viruses

File extension viruses exploit the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extension view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT, and opening it runs the VBScript rather than displaying a text file.

Add-on Viruses

Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus replaces the startup information of the host code with its own but does not touch the host code itself. The virus code is executed before the host code. The only indication that the file is corrupted is that its size has increased.

Intrusive Viruses

This form of virus writes its code over the target host's program code, either by completely replacing it or sometimes by overwriting only part of it. Therefore, the original code no longer executes properly.

Direct Action or Transient Viruses

A direct action virus runs when its infected host is executed, selects the target program to be modified, corrupts it, and then transfers control back to the host code in which it resides; it does not stay in memory afterwards.

Terminate and Stay Resident Viruses (TSRs)

A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.


System or Boot Sector Viruses

Before infection: the MBR occupies the first sector of the disk.

Boot sector virus: the virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.

Execution: when the system boots, the virus code is executed first and then control is passed to the original MBR.

System or Boot Sector Viruses

System sector viruses can be defined as those that affect the executable code of the disk's system sectors, as distinct from a boot sector virus that affects only the DOS boot sector of the disk. Any disk is divided into areas, called sectors, where programs and data are stored.

The two types of system sectors are:

- MBR (Master Boot Record): the MBR is the most virus-prone zone because if it is corrupted the disk no longer boots and its partitions cannot be located, so all data is effectively lost.
- DBR (DOS Boot Record): the DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.

A system sector is only 512 bytes, so system sector viruses conceal the rest of their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in memory. They can also be dropped by Trojans. Some sector viruses also spread through infected files, and these are called multipartite viruses.


Virus Removal

System sector viruses are designed to create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows operating system and switch to Linux or Macs, because Windows is more prone to these attacks. Linux and Macintosh have a built-in safeguard to protect against these viruses. The other way is to carry out antivirus checks on a periodic basis.
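One form such a periodic check can take, as an added example that is not code from the CEH module: parse the 512-byte system sector the text describes, validate its boot signature, decode the partition table, and compare the boot code against a SHA-256 hash recorded while the disk was known to be clean. The layout used (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) is the standard MBR format; the two sample images, their boot-stub bytes and the baseline hash are constructed for this demo.

```python
"""Parse a 512-byte MBR and check its boot code against a known-clean baseline.

Added example, not from the CEH module. The layout (446 bytes boot code, four
16-byte partition entries, 0x55AA signature) is the standard MBR format; the
sample images and baseline hash below are constructed for this demo.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
PARTITION_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"


def is_valid_mbr(image: bytes) -> bool:
    """A sector is only worth parsing if it is 512 bytes and ends in the boot signature."""
    return len(image) == MBR_SIZE and image[510:512] == MBR_SIGNATURE


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one entry: status, type, LBA start, sector count (the CHS fields are skipped)."""
    status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "num_sectors": num_sectors}


def parse_mbr(image: bytes) -> dict:
    """Return the boot-code hash plus the non-empty partition entries."""
    if not is_valid_mbr(image):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        entry = image[off:off + PARTITION_ENTRY_LEN]
        if entry != b"\x00" * PARTITION_ENTRY_LEN:
            partitions.append(parse_partition_entry(entry))
    return {"boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_matches(image: bytes, baseline_sha256: str) -> bool:
    """True when the boot code is unchanged from the baseline taken on the clean system."""
    return parse_mbr(image)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given stub padded to 446 bytes, one bootable type-0x07 entry."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot + entry + b"\x00" * (3 * PARTITION_ENTRY_LEN) + MBR_SIGNATURE


# Constructed "before infection" image and the baseline recorded from it.
# Sample stub bytes: cli / xor ax,ax / mov ss,ax / mov sp,7C00h (a typical boot prologue).
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "after infection" image: same partition table, different boot code (jmp $ / nops).
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 16)


if __name__ == "__main__":
    print("clean image matches baseline:", boot_code_matches(CLEAN_MBR, BASELINE_SHA256))
    print("tampered image matches baseline:", boot_code_matches(TAMPERED_MBR, BASELINE_SHA256))
    print("partitions:", parse_mbr(CLEAN_MBR)["partitions"])
```

On a real machine the image is the first sector of the disk, read from a trusted boot environment rather than the running system, because a virus that intercepts disk reads on the live system (the stealth behaviour described later in this module) could hand the checker a clean copy.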

FIGURE 7.6: System or Boot Sector Viruses [panels: Before Infection, After Infection; label: Virus Code]


File and Multipartite Viruses

File Viruses

File viruses infect files that are executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.

Characterizing File Viruses

File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file it targets, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):

- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code


- Companion: renames the original file and writes itself with the host file's name
- Cavity infector: writes itself between file sections of a 32-bit file

File viruses are also classified based on whether they are non-memory resident or memory resident. Non-memory resident viruses search for EXE files on a hard drive and then infect them, whereas memory resident viruses stay actively in memory and trap one or more system functions. File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable- or fixed-key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of a lot of commands that are not used in the decryption process.

Execution of Payload:

- Direct action: Immediately upon execution
- Time bomb: After a specified period of time
- Condition triggered: Only under certain conditions

Multipartite Viruses

A multipartite virus, also known as a multi-part virus, attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files, and when the virus attaches to the files, it will in turn infect the boot sector.

    FIGURE 7.7: File and Multipartite Viruses


Macro Viruses

[Slide: Infects Macro-Enabled Documents (Attacker -> User)]

- Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files
- Most macro viruses are written using the macro language Visual Basic for Applications (VBA)


Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or on some other event. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.
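A defender's check for the "ordinary-looking document that carries a macro project" situation described above, as an added example that is not code from the CEH module. It inspects the zip-based OOXML formats (.docm/.docx, .xlsm/.xlsx, .pptm/.pptx): a VBA project is stored as a part named vbaProject.bin and is declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The sample packages built in memory are minimal constructions, not real Word documents; the function names are the example's own.

```python
"""Flag Office documents that carry a VBA macro project, including ones whose
extension makes them look like plain data files.

Added example, not from the CEH module. Handles zip-based OOXML packages;
the sample documents are built in memory and are not real Word files.
"""
import io
import zipfile
from typing import Dict

VBA_PART_NAME = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
PLAIN_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def scan_ooxml(data: bytes) -> Dict[str, object]:
    """Inspect one document: VBA parts present and macro content types declared."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_types": []}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return result
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["vba_parts"] = [n for n in names if n.lower().endswith(VBA_PART_NAME)]
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_types"] = [t for t in MACRO_MAIN_TYPES + (VBA_CONTENT_TYPE,) if t in ctypes]
    return result


def has_macros(data: bytes) -> bool:
    r = scan_ooxml(data)
    return bool(r["vba_parts"] or r["macro_types"])


def masquerading_macro_doc(filename: str, data: bytes) -> bool:
    """The blur the text describes: a file named like a plain document that carries a VBA project."""
    return filename.lower().endswith(PLAIN_EXTENSIONS) and has_macros(data)


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (not a real Word document)."""
    main_type = (MACRO_MAIN_TYPES[0] if with_macro else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>')
    if with_macro:
        ctypes += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes only; no real VBA project inside.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("report.docx", build_sample_doc(False)),
                      ("report.docx", build_sample_doc(True))):
        print(name, scan_ooxml(doc), "masquerading:", masquerading_macro_doc(name, doc))
```

Legacy binary .doc/.xls files are OLE compound documents rather than zips; the same idea applies (look for the VBA storage), but it needs an OLE parser and is outside this snippet.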


FIGURE 7.8: Macro Viruses [Attacker -> User; infects macro-enabled documents]


Cluster Viruses

[Slide]

- Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program
- Virus copy: there is only one copy of the virus on the disk, infecting all the programs in the computer system
- Launch itself: it will launch itself first when any program on the computer system is started, and then control is passed to the actual program


Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program runs under DOS, it first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus.

Cluster viruses modify directory table entries so that directory entries point to the virus code. There is only one copy of the virus on the disk, infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started, and then control is passed to the actual program.


Stealth/Tunneling Viruses

- These viruses evade the anti-virus software by intercepting its requests to the operating system
- A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS
- The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean"


Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations with respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

The stealth virus hides itself from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other drive of the system, thus replacing the infected file with the uninfected file that is stored on the hard drive.

A stealth virus hides the modifications that it makes. It takes control of the system's functions that read files or system sectors and, when another program requests information that has already been modified by the virus, the stealth virus reports that information to the requesting program instead. This virus also resides in memory.

To avoid detection, these viruses always take over system functions and use them to hide their presence.


One of the carriers of the stealth virus is the rootkit. Installing a rootkit generally results in this virus attack because rootkits are installed via Trojans, and thus are capable of hiding any malware.

Removal:

- Always do a cold boot (boot from a write-protected floppy disk or CD)
- Never use DOS commands such as FDISK to fix the virus
- Use antivirus software

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.

FIGURE 7.9: Working of Stealth/Tunneling Viruses [Anti-virus software: "Give me the system file TCPIP.SYS"; the virus hides the infected TCPIP.SYS and replies "Here you go" with the original TCPIP.SYS]


Encryption Viruses

- This type of virus uses simple encryption to encipher the code
- AV scanners cannot directly detect these types of viruses using signature detection methods
- The virus is encrypted with a different key for each infected file


This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption. These viruses generally employ XOR on each byte with a randomized key.

- The virus is enciphered with an encryption key; the infected file consists of a decryption module and an encrypted copy of the code.
- For each infected file, the virus is encrypted by using a different combination of keys, but the decrypting module part remains unchanged.
- It is not possible for the virus scanner to directly detect the virus by means of signatures, but the decrypting module can be detected.
- The decryption technique employed is XOR of each byte with a randomized key that is generated and saved by the root virus.
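Why the last two points hold, shown on constructed data as an added example that is not code from the CEH module: a plaintext signature for the virus body misses every enciphered copy because each file uses a different key, a signature for the constant decryptor stub matches all of them, and a scanner that knows the scheme is single-byte XOR can simply try all 256 keys and recover the body signature. DECRYPTOR_STUB and VIRUS_BODY are inert marker strings (no executable code); the function names are the example's own.

```python
"""Signature scanning against a single-byte-XOR encryption virus, on inert data.

Added example, not from the CEH module. DECRYPTOR_STUB and VIRUS_BODY are
constructed marker strings with no executable content; the cipher is the
per-byte XOR with a random key that the text describes.
"""
import os
from typing import Optional

DECRYPTOR_STUB = b"STUB:DECRYPT-THEN-JUMP:"             # constant in every infected file
VIRUS_BODY = b"BODY:constructed-sample-virus-body-42"   # what the stub would decipher
BODY_SIGNATURE = VIRUS_BODY[:16]                        # b"BODY:constructed"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_infected_copy(key: Optional[int] = None) -> bytes:
    """Model of one infected file: constant stub, the per-file key byte, then the XORed body."""
    if key is None:
        key = os.urandom(1)[0] or 0x5A   # never 0, which would leave the body in clear
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def body_signature_hit(sample: bytes) -> bool:
    """Naive scanner keyed on the plaintext body: defeated by the per-file key."""
    return BODY_SIGNATURE in sample


def stub_signature_hit(sample: bytes) -> bool:
    """Scanner keyed on the decryptor, the one part that never changes."""
    return DECRYPTOR_STUB in sample


def xor_aware_scan(sample: bytes) -> Optional[int]:
    """Try all 256 one-byte keys; return the key under which the body signature appears, else None."""
    for key in range(256):
        if BODY_SIGNATURE in xor_bytes(sample, key):
            return key
    return None


if __name__ == "__main__":
    for k in (0x3C, 0xA7):
        f = make_infected_copy(k)
        print(f"key {k:#04x}: body signature {body_signature_hit(f)}, "
              f"stub signature {stub_signature_hit(f)}, recovered key {xor_aware_scan(f)}")
```

The brute-force scan is cheap here only because the key space is one byte; the polymorphic viruses discussed next remove the constant stub as well, which is why scanners moved to emulation and integrity checking for them.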


FIGURE 7.10: Working of Encryption Viruses [Virus Code enciphered into Encryption Virus 1, Encryption Virus 2, Encryption Virus 3]


Polymorphic Code

- Polymorphic code is code that mutates while keeping the original algorithm intact
- To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine)
- A well-written polymorphic virus therefore has no parts that stay the same on each infection

[Slide figure: User runs an infected program; in RAM the decryptor routine decrypts the virus code and the mutation engine, producing a new polymorphic virus. Labels: Encrypted Mutation Engine, Encrypted Virus Code, Decryptor Routine, New Polymorphic Virus.]


Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used for implementing polymorphism.

A mutation engine is generally used to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic codes are used to prevent antivirus professionals from accessing the codes.

Virus samples, i.e., bait files that have been infected after a single execution, contain a similar copy of the virus. A simple integrity checker is used to detect the presence of a polymorphic virus on the system's disk.
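The integrity checker the paragraph mentions, as an added example that is not code from the CEH module. It also serves the file-virus classification earlier in this section: a prepending, appending, overwriting, inserting or polymorphic infection all change the host file's content, which a hash baseline catches regardless of what the bytes look like, and a companion infection leaves a file beside the host, which the added companion check looks for. The companion check assumes the classic DOS form (name.com next to name.exe, where DOS runs the .com first), which goes beyond the renaming form the text describes. The files in demo() are constructed in a temporary directory; the function names are the example's own.

```python
"""File integrity checker plus a companion-file check.

Added example, not from the CEH module. build_baseline() records a SHA-256
per file while the tree is known clean; compare_to_baseline() reports content
changes and new or missing files; find_companions() lists name.exe/name.com
pairs. The files in demo() are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Relative path (always '/'-separated) -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_to_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Any content change shows up as 'modified', whatever the infection technique was."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def find_companions(root: str) -> List[str]:
    """Base names present as both .exe and .com (assumed classic DOS companion layout)."""
    stems = {}
    for rel in build_baseline(root):
        stem, ext = os.path.splitext(rel)
        stems.setdefault(stem.lower(), set()).add(ext.lower())
    return sorted(s for s, exts in stems.items() if {".exe", ".com"} <= exts)


def _write(root: str, rel: str, content: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean tree, then alter, add and remove files."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"MZ constructed clean app")
        _write(root, "bin/tool.exe", b"MZ constructed clean tool")
        _write(root, "readme.txt", b"hello")
        baseline = build_baseline(root)
        # Simulated infections: data appended to app.exe, a companion beside tool.exe, a dropped file.
        _write(root, "bin/app.exe", b"MZ constructed clean app" + b"\x00" * 8 + b"constructed-appended-block")
        _write(root, "bin/tool.com", b"constructed companion placeholder")
        _write(root, "bin/dropped.exe", b"MZ constructed new file")
        os.remove(os.path.join(root, "readme.txt"))
        report = compare_to_baseline(root, baseline)
        report["companions"] = find_companions(root)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline itself has to live somewhere the virus cannot rewrite (read-only media or a separate host), and, as with the boot-sector check, the comparison should run from a clean boot when a stealth virus is suspected, since such a virus can serve the checker the original file contents.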


FIGURE 7.11: How Polymorphic Code Works [User runs an infected program; in RAM the decryptor routine decrypts the virus code and the mutation engine; the virus does the damage; the Encrypted Mutation Engine (EME) produces a new polymorphic virus. Labels: Encrypted Mutation Engine, Encrypted Virus Code, Decryptor Routine, New Polymorphic Virus.]

Polymorphic viruses consist of three components. They are the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control over the computer. The mutation engine generates randomized decryption routines. This decryption routine varies every time a new program is infected by the virus.

With a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program that is infected with a polymorphic virus is run by the user, the decryptor routine takes complete control over the system, after which it decrypts the virus code and the mutation engine. Next, the control